
OpenVPN installation on Linux

This terminal-based guide walks you through the steps to connect to Mullvad VPN servers using OpenVPN.

We advise you to run OpenVPN 2.4.0 or later, as older versions don't perform very well.
 

Installation instructions

Follow the instructions for your particular Linux distribution.

Ubuntu 16.04, 18.04 and Debian 8, 9

  1. In a browser, navigate to our Configuration files page.
  2. Follow the instructions on that page to download a configuration file.
  3. Open up a terminal and navigate to the directory where you downloaded the file (usually ~/Downloads/).
  4. Issue the command "unzip xxxx_xx.zip" (replace xxxx_xx.zip with the name of the file you downloaded).
  5. Issue "sudo apt-get update && sudo apt-get upgrade".
  6. Issue "sudo apt-get install openvpn".
  7. Copy the following files to /etc/openvpn/ (use sudo):
    - mullvad_ca.crt
    - mullvad_crl.pem
    - mullvad_xx.conf
    - mullvad_userpass.txt
  8. Start OpenVPN with either "sudo service openvpn start" or "sudo nohup openvpn --config /etc/openvpn/mullvad_xx.conf" (where xx is the country or region you selected).
  9. To check whether or not you are connected to Mullvad, you can run "curl https://am.i.mullvad.net". If the IP address returned differs from your known IP address, then you are connected.

Using NetworkManager on Ubuntu 16.04 or newer

  1. Open a terminal and issue "sudo apt-get install openvpn network-manager-openvpn network-manager-openvpn-gnome".
  2. In a browser, navigate to our Configuration files page.
  3. Fill out the form. Under Platform, Android needs to be selected.
  4. Click Download to save the configuration file.
  5. Open the downloaded file and remove both "<crl-verify>" and "</crl-verify>", and everything in between, then save the file. This must be done because NetworkManager does not handle an inline CRL.
  6. Click on the Network icon.
  7. Click on VPN-Connections > Configure VPN.
  8. Click on Add.
  9. Select Import a saved vpn configuration.
  10. Navigate to where you saved the downloaded file, select it and then click open.
  11. In the user name field, enter your Mullvad account number.
  12. In the password field, enter "m".
  13. Click Save.
  14. Issue "sudo nano -w /etc/NetworkManager/NetworkManager.conf" and change "dns=dnsmasq" to "#dns=dnsmasq", then save.
  15. Issue "sudo service network-manager restart" in a terminal.
  16. Click on Network icon > VPN Connections > Mullvad_xx ("xx" is the country you selected to connect).
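
Step 5 above can be scripted. This added example (not Mullvad's code; the profile file name and its contents are constructed) removes the inline block only when both tags are present, so a profile with a missing closing tag is rejected instead of being truncated.

```shell
#!/bin/sh
# Added example, not Mullvad's code. Strips the inline <crl-verify> block
# from an OpenVPN profile. A plain range delete would remove everything up
# to end-of-file if the closing tag were missing; this refuses instead.
# Usage: strip_inline_crl IN OUT
# Returns 0 = stripped, 1 = no block found, 2 = unbalanced tags.
# OUT is only written when the return value is 0.
strip_inline_crl() {
    tmp=$(mktemp) || return 3
    rc=0
    awk '
    /^[ \t]*<crl-verify>[ \t\r]*$/   { if (inblk) bad = 1; inblk = 1; seen = 1; next }
    /^[ \t]*<\/crl-verify>[ \t\r]*$/ { if (!inblk) bad = 1; inblk = 0; next }
    !inblk { print }
    END { if (inblk || bad) exit 2; if (!seen) exit 1 }
    ' "$1" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then mv "$tmp" "$2"; else rm -f "$tmp"; fi
    return "$rc"
}

# Constructed sample profile (placeholder CRL body, not real data).
demo_dir=$(mktemp -d)
cat > "$demo_dir/profile.ovpn" <<'EOF'
client
dev tun
remote se.mullvad.net 1300
<crl-verify>
-----BEGIN X509 CRL-----
PLACEHOLDER
-----END X509 CRL-----
</crl-verify>
auth-user-pass
EOF

# On success, print the number of lines kept in the stripped copy.
strip_inline_crl "$demo_dir/profile.ovpn" "$demo_dir/profile.nm.ovpn" \
    && grep -c . "$demo_dir/profile.nm.ovpn"
rm -rf "$demo_dir"
```

A profile with the "crl-verify" block removed no longer checks the server certificate against the revocation list, so keep the stripped copy for NetworkManager only.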

Fedora

  1. Navigate to our Configuration files page.
  2. Follow the instructions on that page to download a configuration file.
  3. Open up a terminal and navigate to the directory where you downloaded the file (usually ~/Downloads/).
  4. Run the command "unzip xxxx_xx.zip" (replace xxxx_xx.zip with the name of the file you downloaded).
  5. Issue "sudo dnf install openvpn resolvconf".
  6. Copy the following files to /etc/openvpn/ (use sudo):
    - mullvad_ca.crt
    - mullvad_crl.pem
    - mullvad_xx.conf
    - mullvad_userpass.txt
    - update-resolv.conf
  7. Issue "sudo chmod 755 /etc/openvpn/update-resolv.conf".
  8. Start OpenVPN with either "sudo service openvpn start" or "sudo nohup openvpn --config /etc/openvpn/mullvad_xx.conf" (where xx is the country or region you selected).
  9. To check whether or not you are connected to Mullvad, you can run "curl https://am.i.mullvad.net".
     

Disabling auto-start

By default, OpenVPN will be installed as a service, meaning that it will automatically start when you boot up your computer. You can disable this behavior by changing /etc/default/openvpn so that "AUTOSTART=none" is set.

You will then have to manually start OpenVPN each time, with the command "sudo service openvpn restart".
 

Switching to a different server

In this example, we are changing from the default se server to the se-got-001 server.

  1. Open your .conf file (for example, mullvad_config_se.conf).
  2. Replace the first "remote se.mullvad.net 1300" with either "remote se-got-001.mullvad.net 1300" or "remote 185.213.154.131 1300" (the second example uses the server's IP address).
  3. Save the file and then restart OpenVPN.
     

Enabling a kill switch

This example assumes that your network interfaces are named eth*, that you want to connect to our Swedish or Dutch servers, and that your DNS is set to use our public DNS server.

Issue the following in a terminal, replacing the IP ranges or IP addresses with those of the servers you wish to use. 193.138.218.74 is for our public DNS.

sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -o tun+ -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
sudo iptables -A INPUT -s 255.255.255.255 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ -p udp -m multiport --dports 53,1300:1302,1194:1197 -d 185.213.152.0/24,185.65.134.0/24,185.65.135.0/24,193.138.219.0/24,193.138.218.0/24,185.213.154.0/24 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ -p tcp -m multiport --dports 53,443 -d 185.213.152.0/24,185.213.154.0/24,193.138.218.0/24,185.65.134.0/24,185.65.135.0/24,193.138.218.0/24 -j ACCEPT
sudo iptables -A OUTPUT -o eth+ ! -d 193.138.218.74 -p tcp --dport 53 -j DROP
sudo ip6tables -P OUTPUT DROP
sudo ip6tables -A OUTPUT -o tun+ -j ACCEPT
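
To confirm that the loaded rules actually behave as a kill switch, the following added example (not Mullvad's code) audits the text printed by "iptables -S OUTPUT" or "ip6tables -S OUTPUT" and flags any ACCEPT rule that is neither bound to tun+/lo nor restricted to a destination. The sample ruleset is constructed.

```shell
#!/bin/sh
# Added example, not Mullvad's code. Audits the OUTPUT chain as printed by
# "iptables -S OUTPUT" or "ip6tables -S OUTPUT", read from stdin.
# Exit status 0: no path outside the tunnel found; 1: at least one finding.
audit_killswitch() {
    awk '
    BEGIN { bad = 0; policy = "unset" }
    $1 == "-P" && $2 == "OUTPUT" { policy = $3; next }
    $1 == "-A" && $2 == "OUTPUT" {
        out = ""; dst = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-o") out = $(i + 1)
            # A negated destination ("! -d x") matches almost everything,
            # so it does not count as a restriction.
            if ($i == "-d") dst = ($(i - 1) == "!") ? "" : $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target != "ACCEPT") next
        if (out ~ /^tun/ || out == "lo") next      # tunnel and loopback
        if (dst == "" || dst == "0.0.0.0/0" || dst == "::/0") {
            print "LEAK: " $0; bad = 1
        }
    }
    END {
        if (policy != "DROP") { print "POLICY: OUTPUT is " policy; bad = 1 }
        exit bad
    }'
}

# Constructed sample: a ruleset where the TCP rule lost its -d restriction.
sample_leaky_rules() {
    cat <<'EOF'
-P OUTPUT DROP
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 193.138.218.0/24 -o eth+ -p udp -m multiport --dports 53,1300:1302,1194:1197 -j ACCEPT
-A OUTPUT -o eth+ -p tcp -m multiport --dports 53,443 -j ACCEPT
EOF
}

sample_leaky_rules | audit_killswitch || echo "kill switch has gaps"
```

Run it against the live chains with "sudo iptables -S OUTPUT | audit_killswitch" and "sudo ip6tables -S OUTPUT | audit_killswitch".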

 

Troubleshooting

I have disabled IPv6 and OpenVPN exits with a fatal error.
Edit the OpenVPN configuration and make the following changes:

  1. Replace "proto udp" with "proto udp4".
  2. Replace "proto tcp" with "proto tcp4".
  3. Add the line: pull-filter ignore "route-ipv6"
  4. Add the line: pull-filter ignore "ifconfig-ipv6"

WARNING: If you add these options on a device that has working IPv6, then your IPv6 traffic will leak outside the VPN tunnel. Make sure you verify that IPv6 is really disabled before making changes.
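
One way to do that verification, as an added example (not Mullvad's code): the functions below classify the output of "ip -6 -o addr show scope global" and "ip -6 route show default", ignoring tun interfaces. The sample output is constructed, and treating any non-tunnel global address as unsafe is a conservative assumption of this example.

```shell
#!/bin/sh
# Added example, not Mullvad's code. Classifies IPv6 state from the text of
#   $1: output of "ip -6 -o addr show scope global"
#   $2: output of "ip -6 route show default"
# Prints one of: routable | address-only | none
ipv6_status() {
    addrs=$(printf '%s\n' "$1" |
        awk '$3 == "inet6" && $2 !~ /^tun/ { n++ } END { print n + 0 }')
    routes=$(printf '%s\n' "$2" |
        awk '$1 == "default" && $0 !~ / dev tun/ { n++ } END { print n + 0 }')
    if [ "$addrs" -gt 0 ] && [ "$routes" -gt 0 ]; then
        echo routable
    elif [ "$addrs" -gt 0 ]; then
        echo address-only
    else
        echo none
    fi
}

# Conservative assumption of this example: the pull-filter lines are only
# considered safe when no non-tunnel interface holds a global IPv6 address.
safe_to_ignore_pushed_ipv6() {
    [ "$(ipv6_status "$1" "$2")" = "none" ]
}

# Constructed sample output (documentation prefix 2001:db8::/32).
sample_addrs='2: eth0    inet6 2001:db8:1::10/64 scope global dynamic \       valid_lft 86000sec preferred_lft 14000sec'
sample_routes='default via fe80::1 dev eth0 proto ra metric 100 pref medium'

if safe_to_ignore_pushed_ipv6 "$sample_addrs" "$sample_routes"; then
    echo "IPv6 is off: the pull-filter lines can be added"
else
    echo "IPv6 is $(ipv6_status "$sample_addrs" "$sample_routes"): do not add them"
fi
```

On a real system, call it as: ipv6_status "$(ip -6 -o addr show scope global)" "$(ip -6 route show default)".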
 

Is your browser putting your privacy at risk?

Even while you're connected to Mullvad, your browser could still be leaking information and therefore jeopardizing your privacy. Visit am.i.mullvad.net to get a quick overview of your connection status.